Super Mario World "Completed" in Under 3 Minutes by Corrupting the RAM

Watch the video above, you won’t regret it. (the fun part starts at 1:12)

This is a Tool-Assisted Speed Run (TAS) of the Super Nintendo classic Super Mario World. TASes use an emulator to perform optimal game actions with frame-by-frame precision in order to complete the game in the lowest amount of time, and can use “save states” to reverse any gameplay mistakes. Games on older consoles frequently have glitches that require such precision that consequently are very difficult to perform on a console consistently, making TASes more of an art form than actual gameplay advice.

So, for those who are wondering just what the f- happened… there’s a glitch that’s been known for a while, where Yoshi can end up in the “I have an item in my mouth” state, but not actually have an item in his mouth. When he spits out this nothingness, the game crashes. That’s all we knew about the glitch… until recently.

Somebody decided to take a debugging emulator and step through the crash. He discovered that the crash occurred because the game tried to jump to a specific address in memory, and execute code there. That address did not contain code, and so the system crashed.

But wait a second. What if, by some sheer coincidence, that address did contain code? The specific address dropped him in somewhere amongst various data for the game’s internal random number generator, and the random number generator can be manipulated in a TAS. Could the game be coerced into running arbitrary code?

Well, as it turns out, it’s extremely limited. You have the RNG state and a few sprite positions that can be manipulated, but after that is some internal game stuff that can’t be. So the length of the “program” is extremely limited, but as it turns out, it’s just long enough to send the signal to the game to switch to the “The End” screen.

There’s a related glitch where you can spawn a bouncing fish by doing certain odd things as you spit out an item as Yoshi, and every time a fish bounces, it uses up a randomly-generated number (since it bounces in a random direction). So, putting it all together, you have to spawn a billion fish and have them all bounce a f-jillion times to get the RNG in just the right spot, leave the area, and then fiddle around with some objects to get the last few bits you need in the right place, all while setting up the original spit-nothing glitch in the first place.

Crazy, isn’t it?

I Call Hax!

This SMW TAS, posted in 2011, was so crazy that it inspired the creation of a new category of speed runs: “Corrupts Memory.” The discussion on the speed run provides a technical explanation of of the glitch, which started a debate: “does this count as a speed run?” (96% of voters said yes.)

To be fair, this is far from the first time where manipulated RAM has been used to complete a game. The classic Nintendo 64 title Legend of Zelda: Ocarina of Time has the infamous Reverse Bottle glitch that allows players to transform items into others, and a memory glitch that teleports you from the first dungeon to the final cutscene, In Pokemon on the GameBoy, players discovered how to reprogram the game to run arbitrary code, but many gamers may remember the classic Missingno glitch, which was very easy to reproduce on an actual console and provided many beneficial effects.

Still, it’s not every day that spawning a ton of fishes out of mid-air = victory.

If you liked this blog post, I have set up a Patreon to fund my machine learning/deep learning/software/hardware needs for my future crazy yet cool projects, and any monetary contributions to the Patreon are appreciated and will be put to good creative use.